From eeae11a36b3b502bc8d16394663c5393c56c6f5f Mon Sep 17 00:00:00 2001
From: kenpat <kenpat7177@gmail.com>
Date: Mon, 15 Jun 2026 09:23:05 -0500
Subject: [PATCH] 2026-06-15: document Uptime Kuma tunnel route blocker

---
 project-kitestacks-migration.md | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/project-kitestacks-migration.md b/project-kitestacks-migration.md
index e04913d..a89c156 100644
--- a/project-kitestacks-migration.md
+++ b/project-kitestacks-migration.md
@@ -424,6 +424,15 @@ Verified current live state on monk before making changes:
   `TUNNEL_TOKEN`. Do not print that token; treat it as sensitive. Routing
   changes must be made through Cloudflare's tunnel API/dashboard unless a
   suitable Cloudflare API token is available locally.
+- Local validation after the Authentik binding: `curl -I -H 'Host:
+  status.kitestacks.com' http://localhost:9001` returns `302` to
+  `https://status.kitestacks.com/outpost.goauthentik.io/start?...`, proving
+  the embedded outpost/proxy provider works when traffic reaches Authentik.
+- No suitable Cloudflare API token was found during the local search; only the
+  cloudflared connector tunnel token is present. Remaining blocker is changing
+  the Cloudflare Tunnel public hostname for `status.kitestacks.com` from
+  `http://uptime-kuma:3001` to `http://authentik:9000` (or equivalent
+  Authentik service target in the Tunnel UI).
 
 Important security hygiene: local git remote for `~/claude-memory` contains an
 HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in